Torturing the Secret out of a Secure Chip

A trick for subverting secure transactions is publicized so the bad guys can't exploit it

1 April 2010—A new chink has been found in the cryptographic armor that protects bank transactions, credit-card payments, and other secure Internet traffic. And although programmers have devised a patch for it, clever hackers might still be able to break through.

The hack, presented in March at a computer security conference in Dresden, Germany, involves lowering the input voltage on a computer’s cryptography chip set and collecting the errors that leak out when the power-starved chips try and (sometimes) fail to encode messages. Crooks would then use those errors to reconstruct the secret key on which the encryption is based. More important, say the hack’s creators, the same attack could also be performed from afar on stressed systems, such as computer motherboards that run too hot or Web servers that run too fast.

The attacks would succeed because the standard cryptographic functions (called OpenSSL) don’t always double-check their work before sending it out into the world. The researchers found that an encrypting chip running on low voltage might not scramble the digits thoroughly, leaving instead the digital relics of four to eight bits of the secret key that encoded the message. With the right kind of guesswork and some clever math, the researchers say, those snippets could be picked off, one at a time, until the entire 1024-bit crypto key was decoded.

By manipulating a crypto chip on their lab bench, the research team cracked the commonplace RSA 1024 computer security standard (which typically uses OpenSSL) in 104 hours. As a result, the authors of the new study say, even supposedly ironclad secure crypto systems could be broken—at least in laboratory environments—if persistently attacked for hundreds of hours. Compared to the ”age of the universe” timescales supposedly needed for brute force to guess the codes that could crack standard Internet security protocols, the new attack represents a step forward for evil.

”We work in resilient system design; we spend most of our time trying to fix faults,” says the paper’s coauthor Todd Austin, who is a professor of electrical engineering and computer science at the University of Michigan. ”So we know how to inject [faults] in so they’re really evil and can’t be found.”

Austin, along with Michigan colleagues Valeria Bertacco and Andrea Pellegrini, designed and publicized their hack so that the forces of good could prevent it from falling into the wrong hands. The researchers also wrote a patch for OpenSSL that ensures it always double-checks its encryption before transmitting any encrypted message.

On the other hand, even if system administrators all over the world patched every Web server running OpenSSL tomorrow, Austin says, there are still millions of other computer chips (smart cards, mobile phones, motherboards on pay-TV boxes) that come with OpenSSL hard-coded. These would be more difficult to patch or update.

Photo: University of Michigan

Things may not be quite so bad, suggests Paul Kocher, a consultant in San Francisco and the coauthor of SSL (the precursor to OpenSSL). Real-world Web servers—even overheated or overclocked ones—are not going to reliably kick out the calculation errors by the thousands required for an attack.

An attacker would effectively need to have physical access to a system to make this attack work, Kocher says. ”For a Web server, you don’t let in any bad guy who wants to come in and play with the power supply,” he says. ”You keep it behind locked doors for reasons that go far beyond just this kind of attack. Practical consequences for Web servers I would say are pretty slim.”

University of Massachusetts professor of computer science Kevin Fu says he doubts that the attack, which was staged in a lab with an easily manipulated crypto chip, could easily be executed by real-world hackers.

”In order for this attack to work in practice, the adversary needs to have access to...the electricity to a specific pin on a chip,” Fu says. ”There’s a big difference between a power outage of a building and controlling precise micropower fluctuations.”

About the Author

Mark Anderson is an author and science writer based in Northampton, Mass. He wrote about proton-slinging CT scanners for the February 2010 edition of IEEE Spectrum.